How do we handle security at NT-ware?
We have implemented industry-leading security and vulnerability assessment tools to maintain a strong security position.
All our infrastructure is regularly scanned by industry-leading vulnerability assessment tools. Every endpoint in our company is protected by enterprise-grade antivirus and malware detection. We have invested heavily in the Microsoft Security Suite to protect our email and file-level security handling. We proudly support and enforce the safe handling and distribution of email through Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). All our mail infrastructure is protected and filtered through Microsoft Exchange Online Security features: phishing, spam, and malware detection. End users are also protected by Microsoft Safe Links, attachment sandboxing, and on-demand detection through desktop antivirus integrations.
Alongside our security infrastructure, staff identity protection is vital. Multi-factor authentication (MFA) is mandatory for all cloud accounts, integrated Azure accounts, and any third-party services we use. High-value assets and service accounts can be further protected using Microsoft Entra Conditional Access. All workstations are automatically locked after 5 minutes of inactivity.
Additionally, we actively participate in security readiness programs and training, ensuring our staff remains informed and alert. These include, but are not limited to, cybersecurity assessments, simulated phishing campaigns, and access to external security training programs.
uniFLOW Online within Microsoft Azure
uniFLOW Online is delivered as pure Software-as-a-Service (SaaS), built natively on the Microsoft Azure Web Service platform.
NT-ware Operations and Development access to the Microsoft Azure tenants is secured through Microsoft Entra ID Identity Protection, which also incorporates the following security standards:
- All logins must be performed by a multi-factor authentication (MFA) protected user, controlled and enforced through Microsoft Entra Conditional Access.
- Microsoft Entra Privileged Identity Management (PIM) helps enforce our 'least privilege' approach.
- Azure Virtual Server infrastructure is secured behind Azure Bastion.
- Web services are protected using a combination of Azure Firewall and Azure Application Gateways.
The above list is not exhaustive, and we continually review and improve our security standing.
NT-ware security policies
Security is a layered approach within NT-ware. We work with enterprise-level products and services to protect both ourselves and your data.
Our policies have been developed by capturing best practices from industry certification standards, including ISO 27001, and by aligning our measures with all relevant controls and sub-controls for Group 2 of the Top 18 CIS Controls® (Center for Internet Security). This initiative forms much of our security planning and future strategy. We perform internal reviews of this program every six months and are also externally reviewed by the Canon Europe Security and Forensics team.
We have established a robust set of security guidelines that govern both end-user and IT operations within NT-ware. Hardware disposal, remote access, network segmentation, and BYOD are just a few examples of the comprehensive set. These are openly communicated within the company and form part of our onboarding program for new starters. All security policies are reviewed at least annually, and any changes are communicated to all concerned.
Development security standards
Security and risk management are initiated during the product planning phase, which involves all key stakeholders (dedicated Product Planning, Development, Security, and Quality Assurance teams).
All members of the NT-ware Development team adhere to best coding practices to prevent security leaks and vulnerabilities from the outset. We utilize multiple sources as input to ensure secure development, including the Common Weakness Enumeration (CWE), the OWASP Top 10 Most Critical Web Application Security Risks, and the National Cyber Security Centre (NCSC), among others. This way, we stay up to date on the latest security findings and threats affecting our software products.
The following industry tool suites are also part of our development and quality assurance processes:
- Atlassian Jira software package to organize sprints and product releases.
- Visual Studio as the main development platform.
- StyleCop / JetBrains ReSharper for static code analysis.
- Jenkins as the continuous integration system.
- Tricentis Tosca to perform automated smoke, scenario, functional, and load tests.
NT-ware development for uniFLOW and uniFLOW Online is done in-house, with no involvement from contractors or external developers. Other software components, such as Canon-embedded device software, are developed in close cooperation with Canon Inc.'s development team. Non-Canon-embedded device development is conducted by an external development company, whose development and company security practices NT-ware reviews to ensure they align with our best practices and methodologies.
All code changes and "check-ins" are performed through an open peer-review process, limiting the risk of any one individual injecting malicious code into our development pipeline.
Security Incident Management
We consider a security incident to be any instance in which there is an existing or impending negative impact on the confidentiality, integrity, or availability of our customers' data, NT-ware data, or NT-ware services. When we respond to security incidents, we continue to uphold our core values: we focus on putting the best processes in place so that security incidents are always handled in a way that is aligned with the best interests of our customers and ensures they continue to have an outstanding experience when using our products.
Within NT-ware, we have a defined approach for responding to security incidents affecting our services or infrastructure. Our incident response approach includes comprehensive logging and monitoring of our products and infrastructure to ensure we quickly detect potential incidents. Defined processes ensure clarity on what needs to be done during an incident. This is managed by our IT and Operations team, coordinating with relevant departments and internal subject matter specialists. We also have access to a range of external experts to assist us with investigating and responding as effectively as possible.
More information on our Security Incident Management can be found here:
NT-ware Penetration Testing
We recognize the importance of penetration testing and actively perform it with every feature release of uniFLOW Online and uniFLOW Server. For such testing, we work in conjunction with Canon Europe Security, ensuring that an accredited industry PEN testing and security organization carries out the testing.
Every report is reviewed directly by the Chief Information Security Officer (CISO) and the Development Director. Subject matter specialists are consulted as needed. Exploitability and attack vector are among the key indicators we use to determine the priority of each finding and schedule remediation accordingly.
All security incidents or findings discovered during testing will be ticketed in accordance with our Security Incident Management process. NT-ware regularly reviews ticket priorities and general security matters with key department heads.
For more information on our PEN Testing Methodology, click here:
Customer Penetration Testing
NT-ware fully supports customers performing PEN testing activities. We welcome the testing, as it provides valuable feedback from our customers and helps further improve the overall security position of uniFLOW Online. To do this safely, the instructions below must be followed if customers wish to PEN test uniFLOW Online.
Non-invasive testing
If the PEN testing is non-invasive, it can be performed directly against the customer's uniFLOW Online tenant. It is acknowledged that such "tests" happen on the internet every day against the online infrastructure. Such testing MUST NOT include any intentional service saturation or denial of service (DoS) tests that impact the system's performance or stability; doing so would be a direct breach of the Service Agreement signed by all parties.
We request that any relevant findings be shared with NT-ware for review and qualification to rule out any false positive results.
What if I need to perform possible "invasive" testing?
Please contact Canon or your Canon Business Partner to submit a project request with NT-ware through our Jira Software ticketing system. We will review the request and, at the discretion of NT-ware, provide a suitable "test" tenant of uniFLOW Online that will not impact the service we provide to other customers.
- Requests are evaluated by NT-ware and, at the sole discretion of NT-ware, approved or rejected.
- The customer security team must provide NT-ware with timings for the test window when they will perform the PEN test.
- It is requested that the results of the PEN test be provided to NT-ware or, at the very least, any fail points.
- Should a non-disclosure agreement (NDA) be required for the sharing of information in any direction, this will be considered based on the engagement and planned exchange of information.
- Any other legal requirements from the customer must be presented in writing via the Canon and/or Canon Business Partner channel.
NT-ware VDP (Vulnerability Disclosure Policy)
At NT-ware, we take the security of our IT systems seriously and value the security community. Disclosure of security weaknesses helps us safeguard the security and privacy of our users by acting as a trusted partner. This policy sets out the requirements and mechanisms of NT-ware's IT Systems and Product Vulnerability Disclosure. It enables researchers to report security vulnerabilities safely and ethically to the NT-ware IT Operations team.
More information on our Vulnerability Disclosure Policy can be found here:
Infrastructure and hardware security
The physical security of our infrastructure and hardware is a crucial point to recognize. All uniFLOW Online hardware is hosted within Microsoft Azure data centers. For Microsoft Azure data center hardware disposal protocols, please refer to the Microsoft hardware disposal procedures.
NT-ware's corporate IT infrastructure is hosted in our Germany, Singapore, and US offices. We follow strict security access and hardware disposal processes in all locations.
- All data centers and server infrastructure are secured by key card access and restricted to IT personnel only.
- An established inventory system manages the hardware lifecycle within NT-ware.
- Hardware is disposed of in accordance with our strict "Hardware and Data Destruction Policy".
- Hardware is always disposed of with an accredited eWaste service following ISO 14001.
- Hard drives and any storage media containing personally identifiable information (PII) or company-sensitive data are destroyed by an industrial crusher.
- Destruction services are accredited and/or supervised by NT-ware staff to ensure they comply with our hardware handling policies.
- All NT-ware workstations and laptops must have full volume encryption enabled to mitigate unauthorized data access on lost or stolen equipment.
"End-of-life" devices are returned to NT-ware headquarters' IT department or to local IT support staff for handling in accordance with our security guidelines.
